Security Strategy

Nimda worm: 'Worse than Melissa?'

"This is certainly up there with the worst viruses we've ever seen - but at the moment it's spreading so fast it's impossible to keep count..."

By Joey Gardiner

Published: 19 September 2001 13:00 BST

The Nimda worm, which hit the internet yesterday, is already set to be on a par with the largest outbreaks such as Melissa and the Love Bug, according to anti-virus vendors.

Reports in the first few hours since the worm was spotted confirm it is the fastest-spreading virus ever.

Anti-virus software provider McAfee said it has already brought Fortune 100 companies down. Jack Clark, European product manager for the firm, said: "The traffic this worm is generating is bringing companies to their knees. It's time to batten down the hatches."

He added: "In terms of traffic this is certainly up there with the worst viruses we've ever seen - but at the moment it's spreading so fast it's impossible to keep count."

The worm is particularly virulent because it uses a number of different methods to propagate - spreading via email as well as across the internet via web servers.

The worm - full name W32.Nimda.A@mm - first attacks vulnerabilities in Microsoft's IIS web server software in a similar way to the Code Red and Code Blue viruses, using a server already compromised by Code Red II to propagate. However, not content with exploiting just one hole, it probes for a total of 16 different vulnerabilities, according to initial analyses.

The virus also spreads by sending an email with a random subject line and an attachment entitled README.EXE. However, Symantec claims this title will not be visible to recipients of the email. If you do receive it, McAfee recommends identifying it by the size of the attachment - 56Kb or 57Kb - much larger than most email attachments.

When executed, the file burrows into the email client and sends itself to everyone in your address book.

It also tries to contact other machines directly across corporate networks, and exposes a victim's hard drive to hackers.

MessageLabs also warned that users of Internet Explorer without the latest patches would be vulnerable merely by surfing a web page that has been hit.

David Perry, director of public education for Trend Micro, said: "We've had to knock out the walls and rebuild the house to incorporate this in our previous definitions of viruses. This is an order of magnitude more complex. No-one knows the full extent of what it can do yet."

Perry said half of all visitors to the Trend Micro site in the last 24 hours were infected by the worm.

Virus experts say the worm causes damage by the sheer volume of traffic it creates, not by properties of the actual payload itself.

The payload is essentially benign, opening up the possibility of hybrid versions that are more destructive still, complete with a damaging payload.

Perry said: "Yes it's always possible a more damaging version could be built - but to be honest this is bad enough."

As yet the origin of the worm is unclear, the only clue being the initial sightings, which MessageLabs says were in Korea.

Reports on news wires say the virus was released into the wild exactly one week after the terrorist attack on the WTC towers in New York. US Attorney General John Ashcroft has already denied a link between the two events.

Patches can be found at: http://www.microsoft.com/technet/security/bulletin/ms00-078.asp and http://www.microsoft.com/technet/security/bulletin/MS01-020.asp. Contact your anti-virus vendor for the latest updates to your anti-virus software.
